Spam accounts for 65% of the total volume of global internet email traffic according to Cisco’s 2017 Annual Cybersecurity Report. The Report also points out that hackers are successfully using automated attacks on your company’s networks, leaving them more time to attempt other strategies to bypass your network defenses.1

What does this mean for you and your organization? Security awareness must be a priority across the board. In this blog we will outline three methods hackers use to trick your employees into revealing confidential information your organization has in its possession, possibly including Protected Health Information.

Social engineering is a term in computer security that refers to schemes hackers use to access your computer systems. The weakest link in most systems is the user; therefore, it’s extremely important you and your employees understand how it works.

For hackers, the three top methodologies of malicious social engineering according to Social-Engineer, Inc are:

Phishing: The practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.

Vishing: The practice of eliciting information or attempting to influence action via the telephone; it may include such tools as “phone spoofing”.

Impersonation: The practice of pretending to be another person with the goal of obtaining information or access to a person, company, or computer system.2

Phishing

Hackers use phishing emails to trick people into clicking links that often lead to the installation of malware or ransomware on your computer or possibly giving up your personal information. Criminals are looking, or phishing, for your personal information. This can be a simple email asking for you to verify your Gmail account or a PayPal account.

In our blog, Social Engineering and HIPAA, we provided key ways to identify phishing emails as fraudulent:

Grammar mistakes and misspellings

Threatening language

Fantastic job offers or promotions

The link addresses don’t match the sender of the email, such as “Google” being spelled with zeros instead of the letter o

Requests for money

Unsolicited requests to change passwords

In general, anything that sounds too good to be true usually is

Do not click on the email or any links in it. That single click can open up your entire company, and your entire network, to a whole host of issues.
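The link-versus-sender check and the zeros-for-o check from the list above can be automated at the mail gateway or in a reporting tool. The following Python is an added example, not part of the original blog; the known-domain list, the digit-swap table, the two-label domain simplification and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains this organization legitimately receives mail from.
KNOWN_DOMAINS = {"google.com", "paypal.com"}
# Digit-for-letter swaps used in lookalike names (the "zeros instead of o" case).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def base_domain(host):
    """Last two labels of a host name (simplified: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain):
    """True if undoing digit swaps turns an unknown domain into a known one."""
    return domain not in KNOWN_DOMAINS and domain.translate(DIGIT_SWAPS) in KNOWN_DOMAINS


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg):
    """Concatenate every text/html part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "".join(chunks)


def check_email(raw):
    """Return a list of (indicator, detail) findings for one raw message."""
    msg = message_from_string(raw)
    sender = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    findings = []
    if is_lookalike(sender):
        findings.append(("lookalike-sender", sender))
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        host = urlsplit(href).hostname
        if not host:
            continue  # mailto:, relative or malformed links have no host to compare
        target = base_domain(host)
        if target != sender:
            findings.append(("link-differs-from-sender", target))
        if is_lookalike(target):
            findings.append(("lookalike-link", target))
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and base_domain(shown.group(1)) != target:
            findings.append(("text-hides-target", f"{shown.group(1)} -> {target}"))
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Google Security" <no-reply@g00gle.com>
To: staff@clinic.example
Subject: Verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="http://login.example.net/verify">https://accounts.google.com</a>
or <a href="https://www.paypa1.com/reset">reset your password</a>.</p>
"""

CLEAN = """\
From: PayPal <service@paypal.com>
Subject: Your receipt
Content-Type: text/html; charset="utf-8"

<p>View it in <a href="https://www.paypal.com/activity">your account</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_email(SUSPICIOUS):
        print(finding)
```

A link that differs from the sender is only a signal, since legitimate mail often links to third-party services; the lookalike and hidden-target findings are the stronger indicators.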

Vishing

The practice of vishing is similar to phishing attacks but via the telephone. It is the practice of calling an individual and eliciting information or attempting to influence action.3 Two common techniques used for vishing are the attacker calling into customer service or the help desk of a company and the attacker acting as technical support.

In one technique common for vishing, the attacker calls a receptionist or customer service knowing that these individuals deal with clients in a positive manner to help solve their concerns with the organization. Due to the lack of training and the desire to give the caller a positive experience, customer service is likely to oblige any requests the caller has during the phone call. When a caller is asking for a password reset to their online account or asking for the credit card on file, have them verify some information only the corresponding individual would know.

In another effective technique, the hacker acts as technical support and has a user click on a link that allows the hacker to take over their computer, and voilà, they have access to the system. Unless the technician is new to an organization, have the same person work on your computer. Question the technician if they are unfamiliar to you and verify they are an employee.

Impersonation

Impersonation is the practice of presenting oneself as someone else in order to obtain private information. One common attack is to impersonate a delivery person (e.g. Postal Service employee, FedEx delivery driver). Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. When a package is being delivered to your place of business, make sure to verify the credentials of an unfamiliar deliverer.4

How to Protect Yourself

Be sure to do a little social engineering of your own. Train your employees on how to use their workstations properly, how to recognize malicious emails, and help protect your systems. A key part of this is training your staff on HIPAA, and how they can support your efforts to keep client information safe. HIPAA security training covers these potential attacks on your system and much more.

In today’s digital world, information is more prone to hacking than ever before, which creates a serious safety issue. Most websites can be developed and hosted on the Internet without thinking much about safety. Healthcare practices and other establishments in the medical industry, however, must proceed with caution for various safety reasons. In order to protect patients’ records and maintain confidentiality, medical institutions must create websites that are HIPAA compliant.

WHAT IS HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that provides protection and security for patients’ medical information. The U.S. Department of Health and Human Services enforces this law and sets HIPAA rules and regulations. HIPAA has two rules that must be followed to be compliant with regulations. The first rule, known as the Privacy Rule, pertains to protecting the private health information of a patient. The second rule, known as the Security Rule, encourages data security measures. This rule is particularly important to address when information is stored electronically.

How to Make Your Website HIPAA Compliant

Patients’ confidential information is most likely at risk if medical websites are being hosted with protection that provides only basic encryption. In order to avoid violating HIPAA rules, websites must attain a high level of protection. This concern only comes into play when sensitive information is being collected and a third party is involved in the transaction of data.

One of the ways to encrypt the transmission of data is by ensuring the website is secure. Secure Sockets Layer (SSL) can be used to prevent data leaks. Before entering any personal information onto a medical website, be sure to look at the URL. Websites whose address begins with HTTPS:// have an SSL Certificate that encrypts communication between a web browser and a web server. This means that the medical institution is following HIPAA laws.

Another way to ensure HIPAA compliance is by using forms to collect data that provide that extra security and protection. Typical Content Management Systems (CMS) may not have that level of security so it is best to use a third-party form builder that would be HIPAA Compliant. Cognito Forms is one of the best form builders that provide SSL encryption, data encryption as well as a secure hosting environment.

Medical Website Design

Healthcare websites must ensure the safety and protection of their patients is a top priority. As technology is constantly changing and becoming more accessible, it’s becoming increasingly important to have a high-level security system on your medical website.

Here at Today’s Business, we have years of experience in building websites for our clients in the healthcare industry. No matter if you are a private practice or public institution, we can help you achieve a HIPAA compliant website that looks great on desktops, tablets, and mobile devices. We can take over your Content Management System and provide your patients’ data the safety that it requires. Contact us now to find out more!

As you know, 2016 is a big year for HIPAA compliance audits. The Office for Civil Rights (OCR), mandated to conduct random audits under the HITECH Act, gave plenty of warning that this year's random compliance audits would begin with a renewed focus on smaller practices (15 or fewer providers) and include Business Associates (BAs) in the audit protocols.

Because practices have been under HIPAA for years, it's easy to get complacent, but HIPAA fines are nothing to take lightly. Last year, OCR issued a record number of fines for violations, including $4.8 million for lack of a firewall (New York Presbyterian), $1.7 million for theft of an unencrypted laptop (Concentra Health Services), and $800,000 for unsecured medical records (Parkview Health Systems).

Here's a checklist to help you prepare for HIPAA compliance this year.

Technical Safeguards

Implement a system of access control including unique user names and PINs, plus protocols governing release of ePHI in the event of an emergency.

Ensure a system is in place to authenticate all ePHI; make sure no information is altered or deleted in a way that violates HIPAA guidelines.

Implement an encryption system for all information sent and received outside the organization's internal firewall.

Initiate and/or carry out a system of ePHI access control audits.

Make sure an automatic log-out protocol is in place for all devices used to access ePHI.

Physical Safeguards

Ensure procedures are in place to record anyone with physical access to areas where ePHI is stored (managed service providers, cleaners, engineers, etc.)

Implement safeguards for workstations and develop protocols for which functions may be performed on workstations in unrestricted areas.

Develop protocols for ePHI use on mobile devices, including guidelines for removing information from devices no longer in use.

Maintain accurate inventory of all hardware and devices.

Administrative Safeguards

Conduct routine risk assessments and develop a risk management policy including sanctions for employees not in compliance.

Implement HIPAA awareness training, including how to identify malicious attacks/malware; be sure to maintain documentation of training sessions.

Develop and test a contingency plan to govern the integrity of ePHI when/if the entity operates in emergency mode.

Develop and document protocols to issue HIPAA breach notifications to affected patients and to the DHHS in the event the breach affects more than 500 individuals.

Omnibus Considerations

The new Omnibus rules update HIPAA compliance standards, especially with regard to Business Associate Agreements (BAAs). Under the new guidelines, covered entities must now:

Update BAAs to include language making all BAs aware that they are bound by the same security and privacy rules governing covered entities, which means they must implement the same technical, physical, and administrative safeguards as covered entities, and are under the same reporting regime for breaches of ePHI.

Issue updated BAAs to all business associates; a signed, HIPAA compliant BAA must be on file before the entity uses the BA's services.

The U.S. Department of Health and Human Services Office for Civil Rights released a cyber newsletter highlighting the importance of audit controls.1 Why are audit controls so important? Logs are a critical, not to mention required, way for your company to monitor activity on your network. Whether this traffic is from an employee or another source, these logs are vital to protecting the information your organization holds.

On January 18th, a former paramedic for MedStar Ambulance was indicted in a federal identity theft and fraud case involving allegations he altered patient records as part of a scheme to steal narcotics from a local hospital starting January 2013 and ending in May 2015.2 The paramedic was finally caught after someone discovered his logs had various irregularities compared to the corresponding hospital records. This incident highlights just how important it is to maintain detailed logs and to monitor regularly.

In plain English, this means that an organization is required to have audit logs. Whether you are a medical or dental practice, health insurance agency, or an employee of an organization that manages health records, you need to record and review audit logs to stay compliant with HIPAA and protect the information you maintain.

The kinds of information you should be logging include:

User logging in

Changes to databases

Adding a new user

Giving a user a new level of access

Files a user has accessed

Operating System Logs

Firewall logs

Anti-malware logs

This extends beyond your electronic systems. If you are still using paper files to store information, you need to have logs of who is accessing information, and if files are removed from the file room. This may be done by having employees sign out files before they remove them from the file room.

Any physical assets that need to be repaired or are in line to be decommissioned should also be logged. This will make sure you are properly protecting or sanitizing these devices.

Many of the software systems you currently use already have the ability to keep detailed logs of activity. The key will be for your IT department to consolidate these logs so it is easy to review if there is ever a question or issue for your team to investigate.

In the event of a security incident, audit trails and logs should be reviewed as soon as possible to determine if there is tampering with the information. Outside of cyber security incidents, audit trails can help you identify flaws in your network before things go wrong. This process will also help you make sure applications are performing as intended.

How to Maintain Compliance with HIPAA

Keeping detailed logs is the first step towards HIPAA compliance. Create detailed policies and procedures around audit handling, educate staff on changes in procedures, and keep up-to-date with regular reviews of audit logs and audit trails.

You should also be prepared to keep these logs for a minimum of 6 years as is required for HIPAA Compliance. These logs should be stored in a raw format for at least six (6) months to one (1) year. After that, you can store these logs in a compressed format.
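The retention schedule above, as an added Python example that is not from the original blog: raw logs older than one year are gzip-compressed, the original is removed only after the compressed copy reads back with the same SHA-256, and logs past six years are reported rather than deleted. The `audit-YYYY-MM-DD.log` naming scheme, the one-year cutoff (the upper end of the stated range) and the sample files are assumptions.

```python
import gzip
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path

RAW_DAYS = 365         # raw for six months to one year; the upper bound is used here
RETAIN_DAYS = 6 * 365  # minimum of 6 years (leap days ignored)


def log_date(path):
    """Date taken from a name like audit-2024-03-01.log (naming scheme is an assumption)."""
    return date.fromisoformat(path.name.split(".")[0][-10:])


def tier(path, today):
    """Decide what the schedule asks for a single log file."""
    age = (today - log_date(path)).days
    if age > RETAIN_DAYS:
        return "past-minimum"  # report only; disposal is a policy decision
    if path.suffix == ".gz":
        return "keep-compressed"
    return "compress" if age > RAW_DAYS else "keep-raw"


def sha256(stream):
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(65536), b""):
        digest.update(block)
    return digest.hexdigest()


def compress_verified(path):
    """Gzip a raw log and delete the original only after the copy reads back intact."""
    target = path.with_name(path.name + ".gz")
    with path.open("rb") as src, gzip.open(target, "wb") as dst:
        shutil.copyfileobj(src, dst)
    with path.open("rb") as src, gzip.open(target, "rb") as back:
        intact = sha256(src) == sha256(back)
    if not intact:
        target.unlink()
        raise OSError(f"verification failed for {path}")
    path.unlink()
    return target


def apply_retention(directory, today):
    """Compress logs older than RAW_DAYS and return {file name: action taken}."""
    report = {}
    for path in sorted(Path(directory).glob("audit-*")):
        action = tier(path, today)
        if action == "compress":
            path = compress_verified(path)
        report[path.name] = action
    return report


def demo():
    """Run the schedule over three constructed log files in a temporary directory."""
    today = date(2025, 6, 1)
    with tempfile.TemporaryDirectory() as tmp:
        for day in ("2025-05-20", "2023-02-10", "2018-01-05"):
            line = f"{day}T08:00:00Z user=jdoe action=login\n"  # constructed log line
            Path(tmp, f"audit-{day}.log").write_text(line)
        report = apply_retention(tmp, today)
        files = sorted(p.name for p in Path(tmp).iterdir())
    return report, files


if __name__ == "__main__":
    print(demo())
```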

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

This includes covered entities (CE), anyone who provides treatment, payment and operations in healthcare, and business associates (BA), anyone with access to patient information and provides support in treatment, payment or operations. Subcontractors, or business associates of business associates, must also be in compliance.

The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).

If you are hosting your data with a HIPAA compliant hosting provider, they must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services. The physical and technical safeguards are most relevant to services provided by your HIPAA compliant host as listed below, with detail on what constitutes a HIPAA compliant data center.

Physical safeguards include limited facility access and control, with authorized access in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use and access to workstations and electronic media. This includes transferring, removing, disposing and re-using electronic media and electronic protected health information (ePHI).

Technical safeguards require access control to allow only the authorized to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.

Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful to pinpoint the source or cause of any security violations.

Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are key to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.

Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts to protect against unauthorized public access of ePHI. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.

A supplemental act was passed in 2009 called The Health Information Technology for Economic and Clinical Health (HITECH) Act which supports the enforcement of HIPAA requirements by raising the penalties of health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was formed in response to health technology development and increased use, storage and transmittal of electronic health information.

The HIPAA Omnibus Rules dramatically elevated your risk of data breaches. From lowering the breach standard to requiring documentation on why you think that you didn’t commit a breach, your practice needs to diligently work to avoid problems and properly handle a breach. An event that compromises the security or privacy of Protected Health Information (PHI) is considered an impermissible use or disclosure of PHI. Impermissible use or disclosure is a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion since you are required to properly notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines for breaches. For example, mailing patient information to the wrong party, and unauthorized access to your electronically stored patient records are breaches unless you can show that there is low probability that PHI was compromised.

There are three exceptions to the breach trigger: unintentional acquisition, access, or use of PHI while employees are performing their jobs, inadvertent disclosure to someone authorized to access PHI, and situations where you have a good faith belief that the recipient will not be able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be considered a relevant incident. Using a “good faith evaluation” and “reasonable conclusion”, you evaluate the incident based on four factors:

PHI Nature and Extent: The sensitivity of the information and ability to identify the patient as well as presentation options are factors in determining the probability. Deidentifying PHI is not easy or straightforward. In addition to name and phone numbers, a picture of a face or a free form text note about the patient could easily lead to identifying the patient. For example, a list of dated deidentified lab results with a separate list of patient appointments for the day of the lab would not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that requires special software from the device manufacturer may present a low probability of compromise. This answer would be different if the lost information was PHI contained in an unsecured PDF file.

Unauthorized Person Received or Used PHI: The status of the recipient of the PHI may offer a reasonable way to avoid a breach. For example, sending the patient report to the wrong doctor may lead to a low probability of compromise since the receiving doctor has been properly trained in HIPAA Privacy and Security.

Actual Acquisition or Viewing of PHI: If your organization quickly uncovered the incident, you may be able to prevent the viewing or even possession of the PHI. For example, contacting the receiving party and recovering the information before the other people open the information may present a low probability of compromise. Similarly, if an envelope with PHI was lost, but upon recovery, you determine that the envelope was never opened, you may have a low probability of disclosure or use.

Mitigation Factors: In the final step of your evaluation, you can determine if there were mitigating issues that lead you to a good faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing PHI on a patient lost in a healthcare facility but recovered in a nonpublic area may present a mitigating factor.

If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements. If you have encountered a breach, within 60 days of discovery of the breach, you have to:

Contact the Patients: You have to mail a letter to the last known address of the affected patients. If you cannot contact more than 10 patients, a notice with an 800 number should be publicly presented on your website or in public media for 90 days.

Inform HHS: You have to maintain a log of breaches to send to HHS annually. If a breach involves over 500 patients, you have to directly contact the Office for Civil Rights.

With the lower “bar” for a breach and the documentation standards, your practice needs to maintain appropriate procedures, train employees, and enforce your policies to minimize the risk of impermissible uses and disclosures. In order to monitor evolving issues and avoid future problems: Review each data breach to determine if changes to policies and procedures need to be made as well as remedial training to avoid future breaches.

On a periodic basis review the impermissible use and disclosures for trends and issues that may require adjustments to your HIPAA compliance strategy. Indeed, continuing incidents that are not breaches could indicate a serious weakness that could lead to a breach. For example, continuing loss and recovery of EHR backups could indicate the need to change the backup procedures or strategy. Breaches can cost you money and undermine the confidence of your patients in the confidentiality of their PHI. With the lower breach trigger and the documentation requirement for your analysis to determine if a breach has occurred, you need to work to avoid breaches as well as impermissible uses and disclosures.

Maintaining HIPAA compliance and numerous data privacy and security mandates is of paramount importance for healthcare organizations. Since HIPAA is not a one-size-fits-all regulatory regime, best practices for data privacy and security programs demand attention to the specific operating environment of each and every healthcare provider.

To ensure compliance, healthcare organizations must implement policies and procedures that are tailored to their operations and the size of their organization.

To complicate matters, many organizations are also challenged by the need to balance both digital and paper documents while maintaining HIPAA compliance. Many healthcare organizations handle paper documents and digital files smoothly; however, it’s the integration of the two that can add increased compliance layers and often hamper productivity.

This can be solved with a combination of procedures and technologies that enable rapid paper-to-digital and digital-to-paper transformation and transmission, ensuring patient care is handled efficiently and within compliance demands. Printers, scanners, faxes, and multifunction devices can provide a highly connected on-ramp/off-ramp between digital healthcare systems and physical documents.

Further, healthcare organizations must understand how compliance requirements apply to these devices.

Both electronic data and paper records are subject to the HIPAA Privacy and Security Rules – a set of federal rules first adopted some 15 years ago and substantially revised in 2013 under the HITECH Act.

However, some healthcare organizations are surprised to learn that the risk of non-compliance can greatly increase with the misuse of office devices such as printers, scanners and fax machines. As a result, it is incumbent upon healthcare providers — in both clinical and administrative environments — to institute sound data handling practices for these devices and the documents processed by each.

Maintaining good data “hygiene” with paper records and files is made easier with user-friendly, compliant print/fax/scan devices and compatible software. Knowledgeable solution providers can assist in integrating hardware and software necessary to ensure the best practices.

To attain compliance with printers, adhere to the following guidelines:

Allow users to password-protect print jobs that may only be retrieved via a PIN at the device’s control panel. This prevents sensitive documents from sitting unattended on output trays of shared printers.

Configure printers to support face-down printing, faxing, and copying to guard against inadvertent viewing by unauthorized staff.

If you must fax, bypass hard-copy printouts by using PC-to-fax or “e-fax” function.

In some cases, moving paper workflows to electronic and automated processes can introduce new efficiencies and increase data security. Turn to tools such as scan-to-email, scan-to-workflow, and electronic file search and retrieval to help bring paper records into the digital workflow.

For many healthcare organizations, the most convenient HIPAA compliant way to transmit information is still by fax technology. Many fax devices are built with advanced security features to address the increasing demand for secure document management. Apply these practices to assist in compliant faxing:

Ensure that all faxes are received into memory and cannot be printed without a password, or through an NFC card reader for user-based walk-up authorization.

Enable secure faxing and fax forwarding to help maintain patient confidentiality by restricting or granting access and privileges on a per-user or per-group basis.

Once device and data policies and procedures are in place, a healthcare organization should conduct a risk assessment and repeat it annually – or even more frequently if it changes any of its hardware, software, or other controls.

This includes taking an inventory of assets that may be related to health data, including office equipment such as scanners, printers, fax machines, and copiers, to identify both the breach potential inherent in those pieces of equipment and their related software tools, and the steps taken to minimize the likelihood of a data breach. At the same time, healthcare organizations should also think about how to ensure data integrity.

From the triage desk to the operating room, fast-paced, regulation-laden healthcare environments leave no room for error. Healthcare organizations can earn the trust of patients, employees and partners by implementing compliant strategies and technologies to help meet HIPAA challenges while balancing paper records and digital documents.

This approach, informed by the regulatory environment and underpinned by the hardware and software capabilities of compliant information systems, enables efficient workflows to provide care while maintaining compliance with required data privacy and security policies. The end result can produce a more efficient use of printer/scan/fax devices, with significantly reduced risk of non-compliance.

You totally meant to get HIPAA compliant but it looked kind of hard and maybe too expensive so you put it off. Or maybe you just thought that no one would ever notice that you weren't HIPAA compliant. Then something happened: a patient complains, a competitor files a complaint with HHS, a breach happens at one of your BAs, an ex-employee files a complaint, or you get picked for an audit.

It could start benignly with a request for certain documentation such as your risk assessment or copies of your security and privacy policies. If you can't produce these documents then you are already in willful neglect. But what if these documents are out of date or you claim that you have oral policies? Willful neglect. What if you did staff training but didn't document it? Willful neglect.

So, as you can see there are a lot of potentially dangerous scenarios. What is the definition of willful neglect? Willful neglect is defined as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” 45 CFR 160.401. Section 13410(a) of the HITECH Act [123 STAT.

But what are the consequences of being found in willful neglect? The answer is huge fines, action plans for maintaining compliance, bad public relations, monitors, etc. etc. The total cost of a breach has been calculated at $355 per patient record. Recently there was a $450,000 penalty for the loss of 388 patient records.

Clearly, penalties for willful neglect would cause many companies to at least consider bankruptcy. The way to avoid these draconian penalties is simple: do something. Get some on-line security awareness training for your staff. This costs as little as $20 per year per staff member. Get a risk assessment and then start updating your policies.

Safeguarding protected health information is becoming more challenging every day—especially for companies operating in healthcare verticals who don’t always understand that compliance issues apply to them. Yet, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, companies operating in a variety of healthcare verticals are categorized collectively as “Business Associates” (BAs) and, as such, are required to act in accordance with the HIPAA regulations.

HOW DO YOU DEFINE “HEALTHCARE COMPANIES”?

What kind of healthcare companies does this include? The short answer: More than you think. Healthcare companies and anyone operating in a healthcare vertical include anyone who has access to electronic patient health information (ePHI) and any organization that stores, transmits or receives ePHI.

Companies operating in the healthcare space who are subject to HIPAA rules can include (but are not limited to) organizations that provide the following services:

Revenue cycle management

Coding/Documentation services

Collection and A/R recovery services

EHR SW and solutions

Patient records management services

Document management services

Medical SW/SAAS services

Mobile healthcare services or applications

Healthcare IT services

Practice management services

Contract management services

Radiation document and image management services

Health plan administration and services

These are but some of the many companies operating in the above healthcare verticals who could be considered a Business Associate under HIPAA regulations. Any company that provides services to organizations defined by HIPAA as “Covered Entities” may well find itself subject to compliance regulations with which they are not familiar.

WHAT ARE “COVERED ENTITIES”?

HIPAA defines “Covered Entities” as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit health information in connection with transactions for which HHS has adopted standards. The HIPAA Omnibus Final Rule goes into stipulations for Business Associates in greater detail. What BAs should take away from the Final Rule is that they may be held liable in the event of a HIPAA breach in many of the same ways that Covered Entities (CEs) may be.

THE COST OF NONCOMPLIANCE

The risks and costs of being found non-compliant can be steep. The Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to a settlement for potential HIPAA violations caused by the theft of a mobile device that contained the ePHI of 412 patients. According to the U.S. Department of Health and Human Services notification, the CHCS provided management and information technology services as a Business Associate to six skilled nursing facilities. The settlement included monetary payment of $650,000 and a corrective action plan.

In a statement relative to this case, U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels said, “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

THE IMPORTANCE OF THE BUSINESS ASSOCIATE AGREEMENT (BAA)

Healthcare companies, vendors, or providers who qualify as Business Associates are required to sign a HIPAA Business Associate Agreement (BAA). The document is an integral part of any contractual agreement with any provider of services, products, or applications, and must provide detailed information explaining how the BA will respond to a breach of any kind, including one caused by any subcontractors used by the BA. The BAA must also describe how a BA will respond to an audit by the Office for Civil Rights (OCR).

HIPAA rules hold Covered Entities responsible for their own data breaches, as well as many of the things over which their BAs have direct control. If a CE is audited, its BAs may be required to provide certain files or documents in a very short amount of time, as prescribed by HIPAA. The BAA acts almost like a service level agreement (SLA) that ensures these and other needs will be promptly met.

For companies of all types and all sizes, this is serious business—and the regulatory authorities are intensifying their focus on any business operating in the healthcare space as it relates to compliance. Fines are being assessed with increasing regularity and all businesses operating in the healthcare space should take note.

To illustrate the importance of having a BAA in place, a Raleigh, N.C. orthopedic clinic agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

HHS provides a template for business associate agreement language on its website to help covered entities and business associates execute agreements that address the business associate contractual requirements.

HOW CAN YOU MANAGE HIPAA COMPLIANCE ISSUES?

Compliance with HIPAA regulations is a long-term process and at times can feel overwhelming. Yet, for companies operating in the healthcare industry, the risks associated with non-compliance are huge. Staying apprised of changes to HIPAA regulations can be a daunting task, but here are some actions you can take to make sure you know the latest.

Know Where to Find Resources. The Office for Civil Rights (OCR) provides a wealth of online information about safeguarding ePHI including FAQs, guidance, and technical assistance materials. One easy way to stay updated is to sign up for the OCR announcement-only Privacy and Security Listservs.

Ask Questions. It’s critical that you ensure any BAs with whom you work fully understand their responsibilities and obligations regarding compliance. Take the time to ask and answer questions and highlight the HIPAA compliance requirements for business associates. These questions can include:

What is your risk analysis plan?

Do you encrypt your devices?

What are your disclosure policies?

What are your IT practices?

How do you handle server maintenance and backup information?

Do you or your employees use personal devices for ePHI?

What are your password policies?

Describe your company’s physical security.

Do you do background checks on your employees?

What kind of training do you supply your employees?

What is your breach mitigation plan?

Explore HIPAA Compliant Hosting. HIPAA compliant hosting can alleviate some of the concerns that accompany being a business associate in a healthcare vertical. By working with a hosting provider that employs HIPAA compliance processes, healthcare-focused companies can construct a comprehensive plan that will, when combined with workplace safeguards and internal best practices, allow vendor partners to reach HIPAA compliance collaboratively. This collaboration of efforts is key, since HIPAA compliant hosting alone can’t eliminate risks that exist inside the workplace. However, it can help mitigate threats to ePHI and also afford easier access and management of a company’s IT infrastructure.

By taking action to evaluate your organization’s level of compliance with HIPAA rules—and that of any business associates with whom you work—and staying on top of HIPAA regulation changes and updates, you will ensure your company is maintaining the appropriate level of compliance and avoiding the risks and penalties of non-compliance.

In 2014, NueMD, an Electronic Health Record (EHR) and billing software company, distributed a questionnaire to medical practices and billing companies to gain insights on their knowledge of HIPAA regulations, compliance measures, and communication methods.¹ There were 1197 responses, with 1037 medical practices and 160 billing companies. Two years later in 2016, the survey was distributed again to determine how much has changed in relation to the participants’ knowledge.² This time it was a total of 927 responses, with 799 medical practices and 58 billing companies. The respondents were clients of NueMD.

In this blog, we compare the data found in these two surveys. The results are surprising.

HIPAA Audits

2014: In 2014, only 32% of those surveyed were aware of HIPAA audits

2016: In 2016, 40% of participants reported that they knew about HIPAA audits

Currently, audits of business associates are taking place. The first round in 2016 looked at covered entities (primarily healthcare providers). In October 2016, HIPAA audits expanded to include business associates. HHS is drawing from a list of 20,000 BAs identified in the first round of audits. Next year, OCR plans to conduct full audits for a selected group of covered entities and business associates. These audits will be more intense than previous ones because they involve auditors coming onsite for several days. HHS gives the practice 10 days to prepare. For those organizations that have not started the compliance process in advance, there is almost no way to prepare in time if you are selected for an audit.3

HIPAA Compliance Plan

2014: In 2014, 58% of those surveyed stated they had a HIPAA compliance plan in place. However, there was a disconnect between managers and staff. 68% of managers claimed to have a HIPAA compliance plan but only 43% of staff.

2016: In 2016, a whopping 70% of respondents reported that they have a HIPAA compliance plan.

All organizations that come in contact with PHI should have a compliance plan in place. There are several important documents that a medical practice must complete to have a comprehensive plan. These include Privacy and Security Policies and Procedures, Business Associate Agreements and a Risk Assessment. Based on the responses to the next two questions, it is likely that fewer healthcare providers are compliant than their answers indicate.

Business Associate Agreement (BAA)

2014: 60% of those surveyed were aware that the Omnibus Ruling requires BAAs with third party vendors.

2016: The number rose to 68% of participants knowing about the BAA rules.

Business Associate Agreements Reviewed and Updated

2014: 24% of respondents had “all” of their BAAs reviewed and updated since the 2013 Omnibus Rule, and 21% surveyed said “some”.

2016: There was an increase from 2014 to 2016, with 29% responding “all” BAAs are updated and reviewed, and 19% having “some” of their BAAs up to date.

Recently OCR was notified that Women and Infants Hospital (WIH) of Rhode Island lost unencrypted backup tapes of ultrasounds of over 14,000 patients. The tapes also included PHI like names and dates of birth. WIH is a covered entity member of Care New England Health Center (CNE). CNE provides centralized corporate support for its covered entities. The two organizations signed their BAA in 2005 and had not updated it since. The Omnibus Ruling in 2013 added extra requirements to Business Associate Agreements. Failure to update their BAA to incorporate these new requirements rendered their 2005 Agreement ineffective. In the end, the outdated BAA resulted in a $400,000 settlement.

Risk Assessment

2014: Only 33% said they performed a risk analysis

2016: This question was not included in the NueMD 2016 HIPAA Survey Update

If there is an audit, one of the first things OCR will ask to see is a Risk Assessment. This helps organizations identify their potential areas of risk with regard to the PHI they handle. Failing to assess potential areas of risk in your organization is failing to protect PHI.

In July 2016, a settlement was reached with U-Miss Medical Center after a breach that affected 10,000 people. It was found that UMMC did not take adequate risk management security measures. They settled with OCR for $2.75 million.5

HIPAA Training

2014: 62% of managers reported that they provided HIPAA training for their employees.

2016: This number surprisingly dropped over the 2 years. Only 58% of organizations surveyed claimed to have provided HIPAA training.

Proper HIPAA training should educate people on the Law. Lack of training equals lack of knowledge and translates into more risk. On October 17, 2016, St. Joseph Health (SJH) settled potential violations with HHS following the report that files containing PHI were publicly accessible through internet search engines from 2011 until 2012. SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. As part of the corrective action plan, with HHS’ final approval of the training materials, SJH must train all appropriate workforce members, in accordance with SJH’s applicable administrative procedures and provide annual retraining.6

To help comply with the current compliance regulation, check out Total HIPAA’s latest service, HIPAA Prime™. HIPAA Prime is an easy-to-follow, cost-effective online solution for quickly developing and implementing your personalized HIPAA Compliance Plan. Whether you are a small or large organization, HIPAA Prime will satisfy all of your documentation and training requirements.

Buddy Dyer, the mayor of Orlando, requested a waiver of the HIPAA rules following the June 12 shooting at Pulse Nightclub. Families and loved ones were inquiring about the status of patients located at local hospitals, but were not provided timely reports. Many of the patients being treated at the hospitals in Orlando did not have formalized legal relationships, and the mayor felt HIPAA would slow down the sharing of information with partners.

Some healthcare professionals feel that HIPAA restricts them from providing information about patients to their families and loved ones. There are stories of loved ones denied information about elderly parents or adult children by medical professionals citing HIPAA. In many cases, healthcare professionals do not understand the flexibility of HIPAA.

In order to understand whether Mayor Dyer and healthcare providers need to be concerned about HIPAA restrictions, let’s look at the Law. The waiver described under Section 1135 of the Social Security Act includes suspending certain HIPAA provisions to protect physicians, emergency medical staff, and law enforcement agencies so that they will not face penalties and sanctions for the release of PHI in a crisis.

The suspended requirements are:

45 C.F.R. § 164.510 requiring healthcare providers to obtain a patient’s agreement so that a medical professional can speak with family members or friends or provide patients the right to opt out of the facility directory;

45 C.F.R. § 164.520, the requirement to distribute a Notice of Privacy Practices to patients; and

In 2010 President Obama issued an executive memo ordering the Department of Health and Human Services (HHS) to address the issue of hospital visitation for same-sex couples. Later that same year, the department prohibited hospitals from discriminating against visitation rights based on sexual orientation and gender identity.

A statement from HHS Assistant Secretary for Public Affairs Kevin Griffis explained the reason why the waiver was not needed in Orlando:

Entities such as healthcare organizations, governmental agencies and law enforcement are allowed to exercise professional judgment as stated under HIPAA. For example, PHI communicated by an Emergency Medical Technician (EMT) via radio to the 911 dispatcher or between ambulance units is also permitted through the professional judgment definition in HIPAA. For most law enforcement personnel, as well as fire departments, the HIPAA Privacy Rule does not apply either, as disclosures are needed to perform their job duties. They can release PHI about victims of a vehicle accident or for investigation of a crime scene. The essential part to note is that as long as the conversations by the personnel covered under these provisions relate to treatment-related disclosures, there is no HIPAA violation. Hospitals and large health organizations must train their emergency staff on HIPAA and their specific policies and procedures to comply with the regulations.

It seems that your medical data may not be as protected as you might first assume.

A recent report from the Department of Health and Human Services showed that the vast majority of mobile health apps on the marketplace aren’t covered by HIPAA, the Health Insurance Portability and Accountability Act of 1996.

HIPAA currently applies only to traditional medical establishments, such as hospitals, doctors and health insurance providers. Apps or devices used in conjunction with a doctor’s office or a hospital are not legally allowed to share or sell your information. However, there is no definitive federal law governing what happens to the data that an app developer, tech company or private individual collects.

Typically a patient using a third-party developed app enters medical information, which is then sent in some form to a physician. The data in a patient’s medical record would be covered by HIPAA; however, the data that the third-party app developer collected would not be.

Despite being identical sets of data, stored in different computers, they have different levels of protection.

App companies, although not governed by HIPAA, are better off abiding by its standards. Any app developer found to be using unfair or deceptive practices with regard to user medical data could be held accountable by the FTC.

As Federal regulations are increased to include app data collected by third-party developers, this will continue to be a legal grey area, and one that patients, doctors and developers all need to be aware of.

It’s important to train all staff in a multi-line agency on HIPAA Compliance

There is a great deal of crossover within multi-line agencies. Cross-selling group or individual health insurance and other benefits, between personal lines and key commercial lines clients, has been one of the best ways to preserve a long-term relationship. To do this well, there’s going to have to be some exchange of often confidential information between different teams. Plus, the reality that there is often little to no physical or electronic separation between team members means that you need to worry about having your bases completely covered in case of an unintentional breach. Simply said: It’s very important that all parties are properly trained on these regulations, which is one of many reasons a multi-line agency will often require all staff to be trained on HIPAA.

Protecting PHI, NPPI and PII

Across your agency, you may have multiple agents that will have access to or come in contact with Protected Health Information (PHI), Non-Public Personal Information (NPPI) and Personally Identifiable Information (PII). In our experience, agents handling long-term care, vision, Medicare, dental and health insurances are reluctant to refer clients to agents who sell life, auto, home, commercial liability, 401(k), and Workers’ Comp if these agents are not properly trained on their responsibilities to safeguard clients’ Protected Health Information (PHI).

Gramm-Leach-Bliley (GLB) is an entirely separate federal law (from HIPAA) that dictates what insurance agents can do with personally identifiable information collected from or about consumers, or resulting from a transaction with consumers. This is commonly called Non-Public Personal Information (NPPI). Insurance agents are prohibited from disclosing NPPI as defined in GLB to nonaffiliated third parties without notifying the client or providing an opportunity for the client to opt out.

Non-health related insurances are considered financial products and are regulated by the privacy and security obligations of GLB. Many of these privacy and security concerns overlap when it comes to PHI, NPPI and PII. Everyone within your agency, whether they are working on health insurance or not, has to understand and appreciate the need for privacy of all the client information you handle.

For those of you selling products in the Federal Marketplaces (FFM), there are major concerns when it comes to privacy. Personally Identifiable Information (PII) is defined as information that can be used to distinguish or trace an individual’s identity. Information qualifies as PII in the Marketplaces when used alone or combined with other personal or identifying information linked or linkable to a specific individual. A name, date and place of birth, mother’s maiden name, an IP address, and biometric records are some examples of PII. This is the broadest definition of individual information to date, and it is important to remember that it is not limited to only health information. PII includes financial information as well.

Marketing Guidelines

Marketing means that an agent encourages individuals to use a product or service. HIPAA, GLB and ACA have very different marketing guidelines. Under HIPAA, agents may use an individual’s PHI for marketing purposes only in face-to-face meetings and to identify clients to whom they want to give promotional gifts of nominal value. The agent may use PHI to market or handle issues related to the health insurance product itself, including marketing to different carriers. For any other uses of PHI, the agent must receive prior written authorization from the client.

GLB marketing guidelines allow an agency to shop for the best price on life insurance or other coverages with a variety of carriers, with a proper agreement in place, and a Notice of Privacy Practices given to the client. An agency is able to take NPPI and disclose it to third parties without additional authorizations.

According to Marketplace rules, you are prohibited from cross marketing to a SHOP client, even if you have written permission from the client to market, or you are in a face-to-face meeting. This is an important distinction from HIPAA where you can cross market in face-to-face meetings, or if you have a signed agreement from the client. You could be fined or prohibited from selling into the SHOP or FFM if you are found to be in violation of these cross marketing rules. It is permissible to leave a list of other services, and tell the client to call if they are interested.

HIPAA, GLB and ACA require you to protect personal information about your clients, adopt policies and procedures, provide privacy notices to your clients on a yearly basis, and ensure your staff understands their responsibilities. Most of these requirements for HIPAA, GLB and the ACA can be fulfilled with the same set of documents, which are part of the Total HIPAA compliance documents and training.

Smart multi-line agencies will take advantage of meeting federal requirements with one combined effort. Meeting these compliance requirements gives your organization a good reputation because it is clear you’re dedicated to taking all the steps possible in order to protect your clients’ information.

You’re a small medical practice whose head nurse goes out on maternity leave and you hire your mother-in-law, an RN, as a temporary replacement until she comes back. You’re an insurance company who has hired a part-time agent to work one day a week from home. Whatever the scenario, the full-time employees, contract employees or independent contractors that employers hire have access to client or patient Protected Health Information. Employers are responsible for contractors’ and temporary employees’ compliance with HIPAA. The question is, what procedures should you follow?

Employee Classification

Since 2013, the Common Agency Provision of HIPAA in the Omnibus ruling states that you are responsible for your employee’s compliance.

Is your employee a contractor working exclusively for your company, an individual with other clients, or someone hired through a business? As an employer, you are not required to train these quasi employees, but your company will be responsible if one of these individuals breaches Protected Health Information.

Here is a recommendation:

If the employee is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate Policies and Procedures for Privacy and Security as required of either a Business Associate or a Subcontractor BA. It is meaningless to ask them to sign a Business Associate Agreement or a Subcontractor Business Associate Agreement because they will not have the compliance infrastructure required by HIPAA.

Instead, ask them to sign a confidentiality agreement. These are a few of the items included in the confidentiality agreement provided by Total HIPAA:

What information is covered with the agreement

The types of information that cannot be copied or modified

Information must be returned upon request by the employer

Disciplinary action for persons responsible for a breach of confidential information

Make sure these contractors are trained regularly on the HIPAA law and on your company’s Privacy and Security Policies and Procedures. You should require them to follow your company’s Security Policies and Procedures for things like firewalls and virus protection. Unfortunately, the employer is fully liable even if the independent contractor was malicious or criminal in creating the HIPAA breach.

If the employee is provided through a company with infrastructure, that company will need to meet the compliance standards as a business associate or a business associate subcontractor, which are the same requirements. Having these companies sign a Business Associate Agreement or Subcontractor BAA is a must.

HIPAA Training

Whether you are a Covered Entity, a Business Associate, or a Business Associate Subcontractor, make sure you provide HIPAA training to all your employees, contractors and temporaries that can access PHI. A Subcontractor who hires a worker has the same responsibility to train these people. The responsibility can extend down several layers.

It might be a pain, but before your contractor or temporary starts working, you must have either a signed Confidentiality Agreement, a BAA or a Subcontractor BAA in hand. This contractor must complete HIPAA training, too. Remember, if you don’t train all your workers, you open yourself up to potential breaches that can result in an HHS audit and potential fines.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to set national standards for the confidentiality, security, and transmissibility of personal health information. Violations of this Act can result in substantial fines to a practice ranging from $100 to $1.5 million. Healthcare providers can also be at risk for sanctions or loss of license. In order to reduce the risk of penalties or fines, medical practices should ensure their policies and procedures are regularly updated and employees receive on-going compliance training. Below are some of the most common HIPAA privacy violations and measures that can be taken to protect patient health information.

Database Breaches-

In 2015, data breaches cost the healthcare industry nearly 6 billion, with the average economic impact per organization totaling $2,134,800. Medical identity theft has more than tripled over the past five years, with almost a third of the US population having been affected. It can happen to any size organization or practice which is why it is important to take the appropriate security measures, such as firewalls, encryption, and password-restricted access to protect PHI.

Lost or Stolen Devices-

Another very common HIPAA violation is the theft of PHI through lost or stolen laptops, desktops, smartphones, and other devices that contain patient information. Mobile devices are the most vulnerable to theft because of their size; therefore, the necessary safeguards should be put into place such as password protected authorization and encryption to access patient-specific information.

Employees illegally accessing patient files-

Employees accessing patient information they are not authorized to access is another very common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for a relative or friend, this is illegal and can cost a practice substantially. In addition, individuals that use or sell PHI for personal gain can be subject to fines and even prison time.

Lack of training-

One of the most common reasons for a HIPAA violation is employees that are not familiar with HIPAA regulations. Often only managers, administration and nurses receive training even though HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained. Compliance training is one of the most proactive and easiest ways to avoid a violation.

Improper disposal of personal health information-

Personal health information should always be shredded or destroyed. It is also important to ensure the photocopier is not saving copies to its hard drive. If the copier is returned, sold, or discarded, without being properly wiped clean, this could also result in a HIPAA violation. Establishing and posting policies and procedures to make sure personal health information is locked, secured and disposed of appropriately will help to remind employees and prevent a potential violation.

Employees disclosing patient information –

Employees’ gossiping about patients to friends or coworkers is another very common HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.

Authorization Requirements-

A written authorization is required for the use or disclosure of any individual’s personal health information that is not used for treatment, payment, healthcare operations or permitted by the Privacy Rule. If an employee is not sure, it is always best to get prior authorization before releasing any information.

The privacy and security of patient health information should be a priority for all healthcare providers and professionals. Most violations can easily be prevented by implementing HIPAA regulations into practice policies and procedures and ensuring that all individuals with access to patient information receive the proper training.

There are many important elements to implementing an effective HIPAA Program, but none are more important than completing a security risk analysis. Conducting a risk analysis will give your practice an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of your electronic protected health information.

Completing a security risk analysis is a required element. This means that most specifications must be evaluated and if applicable, implemented, in order to achieve compliance with the Security Rule. It is important to remember that certain specifications in the risk analysis are considered addressable, meaning it is up to the covered entity to determine (in writing) if the specification is a “reasonable and appropriate” safeguard for its environment, taking into consideration how it will protect ePHI.

According to the Security Rule, your security risk analysis should be broken down into the implementation of 3 categories of electronic protected health information safeguards: Administrative, Physical and Technical. The following is an overview of each category, including differentiation between those specifications that are required and those that are addressable.

ADMINISTRATIVE SAFEGUARDS

Administrative safeguards are administrative actions and functions to manage the security measures in place that protect electronic protected health information. Administrative safeguards must state how the covered entity will conduct oversight and management of staff members who have access to, and handle ePHI. Administrative safeguards include:

Risk Assessment (R)

Sanctions Policy (R)

Information System Activity Review (R)

Security Officer Assignment (R)

Security Awareness and Training (A)

Security Incident Procedures (R)

Disaster Recovery and Data Backup Plan (R)

Periodic Security Evaluations (R)

Business Associate Contracts (R)

PHYSICAL SAFEGUARDS

Physical safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards and unauthorized intrusion. It includes restricted access to ePHI and retaining off-site computer backups. Applying physical safeguards means establishing:

Facility Access Controls (A)

Workstation Use and Controls (R)

Device and Media Controls (R)

TECHNICAL SAFEGUARDS

Technical safeguards are the automated processes used to protect and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted. Technical Safeguards are:

Unique User Login (R)

Emergency Access Procedures (R)

Automatic Logoff (A)

Encryption and Decryption (A)

Audit Controls (R)

Authentication of Integrity of ePHI (A)

Authentication of Person or Entity (R)

Transmission Security (A)

Completing your security risk analysis is not only an essential component of your HIPAA program, but it will enable you to identify and rectify any risks and vulnerabilities to the access and confidentiality of your electronic protected health information. The results of your risk analysis will be used to determine the appropriate security measures to be taken. Be sure to reevaluate your risk analysis periodically, especially if there have been any known or suspected threats to your security program.

We frequently get questions about whether or not an event is a HIPAA violation. Some of the events are hazy, others are clear-cut. We received an email from a nurse last week with a question. She received a postcard inviting her to a weight-loss clinic and offering a $25 deduction even though she was not a previous user of their services.

We called her and discussed her concern. The nurse indicated she didn’t have a serious weight problem. The postcard was sent to her office where other people could see it and she was embarrassed. She said to me, “I’ve been trained on HIPAA and I think this is a clear-cut example of a breach.”

Although we’re not lawyers, we agree. First, she never signed any agreement that the weight-loss clinic could send marketing materials to her. Second, PHI was on a postcard addressed to her so anyone who sorted the mail could read the information.

Increasingly small businesses such as this weight-loss clinic are going to be scrutinized for their actions. More and more businesses that see or generate PHI such as rehabilitation clinics, group foster homes, long-term care facilities, social workers, accountants and shredding companies realize that they need to be HIPAA compliant.

One of the largest groups that must be compliant is employers who provide health benefits to employees and see Protected Health Information. If one of these organizations improperly releases information, the loss of trust will translate into a loss of clients and business.

Filing a Complaint

When an individual feels their Protected Health Information has been breached, they can file a complaint with the company or through HHS (HIPAA Complaint Portal Assistant and 1-800-368-1019). In several states, individuals can file with the State Attorney General Office, and we’ve seen in some states that protection of PHI is considered a standard of care, so patients are suing under malpractice laws. Although the fines and penalties are not currently shared with the individual, this may soon be available, which will result in a feeding frenzy in the legal community.

Preparation

How do you prepare your staff so that violations of HIPAA, like the one affecting the nurse, do not occur? Training your staff on the HIPAA law and on your organization’s unique policies and procedures is part of the HIPAA compliance process. Also, you are required to complete a risk assessment, and then convert the information captured in the risk assessment into privacy and security policies and procedures.

If you do it yourself, completing required documents takes between 40 and 60 hours. The question then is, did you capture all the required information, and have you determined that your file sharing, email encryption, firewalls and virus checker are truly HIPAA compliant? Are these solutions the easiest to use and most cost-effective choices for your organization? Many times, companies say they are HIPAA compliant, but they have no documentation to back up the claim.

If you fit any of these groups: health insurance agent/broker, an employer offering health benefits to your employees, or business associate that can access health information about a client (shredding company, IT vendor, or accountant), find out if you need to be HIPAA compliant.

When it comes to HIPAA compliance (i.e., adherence to regulations detailed in the Health Insurance Portability and Accountability Act of 1996), most health facilities are well versed on the Privacy Rule and its protection of personal medical information. They work hard to maintain patient trust by upholding the necessary privacy standards. But sometimes, even the most conscientious facilities let patients’ health details slip through the cracks.

How?

The rise of mobile technology and electronic medical records has left the health industry with a few harsh blind spots. Health information that is stored and/or transferred electronically (i.e., electronic protected health information, or ePHI) is highly susceptible to a HIPAA breach. So health organizations must be extra diligent to ensure they are fully safeguarding ePHI and remaining HIPAA compliant.

To help you take stock of your organization’s HIPAA security efforts, here are 4 tips for eliminating your HIPAA compliance blind spots:

#1: Limit Information Shared in Mobile Messages

In today’s fast-paced, mobile world, we often receive appointment confirmations or prescription refill notices via voicemail, text, or email. While this is convenient for health organizations and patients, it opens up the door for HIPAA security violations.

To keep a patient’s private health information out of the wrong hands, health organizations should limit the information they share in mobile messages. For instance, a prescription refill notice should not contain details of the specific prescription; it should simply notify the patient that it’s time for him or her to submit a refill request. Likewise, appointment confirmation messages should leave out any details regarding the specific reason for the appointment.

If a facility wants to take its privacy protection a step further, it can even limit its mobile messages to a simple request for a patient to call the facility for further information.

#2: Be Cautious of Open Text Fields

A lot of health organizations have moved their data collection efforts online in recent years, which means they are collecting new patient registrations or appointment requests with online forms. While using a HIPAA compliant data management system is a great (and necessary) way to protect patient data, a HIPAA breach is still possible if facilities aren’t careful.

Online forms that contain open text fields can inadvertently lead to HIPAA security violations. This is because patients may unknowingly share ePHI, such as current medications or medical conditions, in that free text space. For instance, when providing feedback on a patient satisfaction survey, a patient might state that his or her doctor was supportive and caring after delivering a cancer diagnosis.

To limit the sharing of ePHI on online forms, health organizations can add disclaimers next to any open text fields to warn patients not to include personal medical details in those fields. Or they can remove any open text space altogether.

#3: Evaluate Facility Advertisements

Online advertising—particularly on social media—is fairly new territory for health facilities. And for good reason. The healthcare industry is subject to deeper scrutiny than other industries when it comes to advertising, and those working in the industry are held liable for both truth in advertising and HIPAA compliance. This means they have to be super careful about what they publish for all to see.

If proper permission is not obtained, any use of a patient’s information or likeness in an advertisement could be a HIPAA breach. For instance, if a dermatologist posts photos of a patient’s skin before and after treatment, the patient’s identity could be compromised. Even if the post or advertisement contains only a portion of the patient’s face, his or her privacy could still be violated if family members or close friends recognize the patient.

To avoid violating HIPAA security laws when advertising online, healthcare organizations should take extra steps to evaluate all advertisements and ensure they aren’t improperly using identifiable patient photos or information.

#4: Avoid Use of Patient Names

This might seem like a no-brainer when it comes to protecting patient data, but facilities should avoid using patient names or other personally identifiable information when possible. As mentioned earlier, patients will sometimes share ePHI unknowingly when filling out online medical forms. To avoid tying patients directly to any sensitive information they might provide, health organizations can find ways to gather the information without using patients’ names.

For example, if a facility is simply surveying patients to help improve its overall services, the facility should consider gathering anonymous feedback. In other instances, when it is helpful or necessary to have a patient record tied to the information, organizations should consider using a unique identifier—such as a patient ID or account number—instead of a name.

When the Department of Health and Human Services (HHS) or the Office for Civil Rights (OCR) reaches out to health care organizations in response to a potential HIPAA investigation, auditors follow a very specific path toward contact, investigation, and resolution. Once a complaint is received and OCR has determined that it is legitimate, it will issue letters of notification to both the complainant and the recipient. These letters will outline a timeline for the investigation and will explicitly identify the investigating party as the OCR.

Once the investigation begins, OCR will collect and review documentation submitted by both parties. They may use any number of investigative methods including interviews and onsite visits to determine if there is sufficient evidence to support the allegations. Once again, OCR will send a letter explaining their findings. Resolutions will then vary depending on the outcome of their investigation.

HIPAA Audit Survival

HIPAA audit survival starts with keeping informed about OCR procedures. Knowledge is power. In this case, being aware and prepared is the best way to prepare your practice for a potential investigation. OCR will only contact you directly via a certified letter or email. Disreputable parties regularly attempt to lure unsuspecting practitioners into buying “certification” services that are fraudulent.

FACT: There is no certifying body for HIPAA compliance by any federal or private entity–any organization that claims otherwise is using misleading or potentially fraudulent language.

Your best defense then is to keep in mind the above described process, and stop communicating with any party that suggests a deviation from the standard procedure outlined.

Next, if you’re unsure whether you’ve been contacted by a federal agency, ask the sender to confirm the identity of their organization, then verify them with a Google search about their services.

If your organization receives an email or call from an entity claiming that you need to have a “Mandatory HIPAA Risk Assessment Review with A Certified HIPAA Compliance Adviser” be on full alert. This deviation from the official procedure described above will let you know that the caller is not providing a legitimate notice from a federal or state regulatory agency. Do not feel obligated to provide or share any of your information if you receive such notice.

Check the source of the email. These fraudulent emails are being sent from sources such as ‘OSOCRAudit@hhs-gov.us’, while a legitimate OCR email will be sent from ‘OSOCRAudit@hhs.gov’. The distinction is subtle, but that’s characteristic of scams such as these.
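The sender check described above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article or from OCR: the function names and the sample headers are assumptions constructed for illustration, and only the two `OSOCRAudit@` addresses come from the text.

```python
from email.utils import parseaddr

# The article gives hhs.gov as the legitimate sending domain for OCR audit mail.
TRUSTED_DOMAIN = "hhs.gov"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the real address in a From: header.

    parseaddr() splits the display name from the address, so a display name
    that merely contains a trusted-looking address is ignored.
    """
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_trusted(domain: str) -> bool:
    """True when an untrusted domain imitates TRUSTED_DOMAIN."""
    # "hhs-gov.us" and "hhs.gov.example.com" both contain "hhsgov" once
    # hyphens and dots are removed.
    squashed = domain.replace("-", "").replace(".", "")
    if TRUSTED_DOMAIN.replace(".", "") in squashed:
        return True
    # Near-miss spelling of the last two labels, e.g. "hhs.g0v".
    tail = ".".join(domain.split(".")[-2:])
    return edit_distance(tail, TRUSTED_DOMAIN) <= 1


def classify_sender(from_header: str) -> str:
    """Classify a From: header as trusted-domain, lookalike, other or unparseable."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Exact match or a true subdomain only; a suffix match without the dot
    # would also accept domains that merely end in the same letters.
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return "trusted-domain"
    if looks_like_trusted(domain):
        return "lookalike"
    return "other"


# Constructed sample headers; the first two addresses are the ones quoted
# in the article, the rest are made up for the example.
SAMPLE_HEADERS = [
    "OSOCRAudit@hhs.gov",
    "OCR Audit <OSOCRAudit@hhs-gov.us>",
    '"OSOCRAudit@hhs.gov" <audit@hhs-gov.us>',
    "Compliance Desk <review@hhs.gov.example.com>",
    "audit@hhs.g0v",
    "newsletter@example.com",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):15} {header}")
```

A `trusted-domain` result only means the visible From: address is not a lookalike. The header itself can be forged, so the message's SPF, DKIM and DMARC results still decide whether it really came from that domain.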

To protect yourself, be leery of misleading language and marketing efforts targeted at health care professionals by such third party organizations. Some such advertising will occasionally try to leverage the threat of a federal offense to garner a sale of technology that isn’t legal. This type of fraud has become so widespread that OCR has responded to this unlawful conduct with a statement telling health care officials not to follow any of the links in the email.

Introduction

Several provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, were intended to encourage electronic data interchange (EDI) and safeguard the security, privacy, and confidentiality of patient health information. In the context of this act, security is the means by which confidentiality and privacy are ensured. Confidentiality defines how patient data can be protected from inappropriate access, while privacy is concerned with who should have access to the patient data. This article explores how the policies stipulated by HIPAA are shaping the practice of medicine and will likely affect your practice in the future.

HIPAA Security vs Innovation

If you're a typical small-practice physician, odds are that you view HIPAA as simply another federally mandated cost of practicing medicine, regardless of the intended outcome of the act. This position is understandable, given the cost of mandated training for you and your office staff. Furthermore, if your practice is computerized, then you'll need to spend even more money on software upgrades and possibly additional training from the vendor.

HIPAA rules and regulations are complex, in part because much of compliance is open to interpretation. For example, security issues, which are predominantly in the domain of software and hardware vendors, are based on “risk assessment,” not specific technology standards. The act doesn't stipulate specific technologies or endorse nationally recognized procedures, but leaves it up to the physician practice or medical enterprise to ensure that patient health data are secure. (HIPAA's security standards take effect on April 20, 2005, for all “covered entities” except small health plans). However, because HIPAA enforcement is complaint-driven – there are no “HIPAA Police” checking to see that your practice meets the law's requirements – differences in interpretation of the act are likely to end up in a courtroom at some point. For this reason, some experts recommend assessment of HIPAA compliance by outside counsel.

Most physicians are understandably concerned with the immediate compliance issues surrounding HIPAA and privacy and confidentiality of patient data. Even though the security standards were designed to be “technology-neutral,” the vagaries of these requirements are having a direct impact on medicine beyond the acute phase of compliance, especially in the introduction of new technologies in the clinical arena. New technologies, from wireless to tablet PCs, bring with them added functionality, potential workflow enhancements, and efficiencies – as well as new HIPAA security compliance issues.

Consider, for example, the effect of HIPAA's privacy rules on a physician contemplating the purchase of a Palm Pilot or other PDA. Even late adopters have probably observed the benefit of PDAs. Need to share patient data? Just beam it across the infrared link from one PDA to the next. Need to review patient lab data? Just touch the screen and the data are only a second away.

But it isn't that simple once HIPAA enters into the picture. Now a PDA carrying patient data is a compliance concern, as HIPAA's privacy rule applies to all mediums of a patient's protected health information, whether it's print, verbal, or electronic. Does your PDA have a login and auto logout feature? If not, then anyone could take your PDA and look up patient data. Consider the liability issues if you forgot your PDA at a coffee shop and someone picked it up and scanned through your list of patients. But with a login screen, one of the major benefits of a PDA – instant access to data – is lost.

If you use one of the wireless PDAs, such as the BlackBerry, then there are additional HIPAA-related issues: Does your PDA support the encryption of email and patient data it sends over the Internet? Is the encryption enabled? Is the level of encryption good enough for HIPAA?

Perhaps you've been considering adding a wireless (WiFi) LAN to your clinic or practice. You may have good reason to; wireless will allow you to carry a laptop into examining rooms for decision support and not have to worry about Ethernet cords. But considering HIPAA, is your WiFi system secure? Is the data encryption good enough? If not, will you have to buy new PCs and PDAs, or simply upgrade the operating systems? Do you need to hire a consultant? Maybe it's easier to simply string cables to each office and forget about the laptop this year. Or maybe it would be better to hold off on the computer-assisted decision support project altogether.

Paradoxically, although proponents of HIPAA once thought that it would enhance the move toward the electronic medical record (EMR), I believe that it is having the opposite effect. Because of the uncertainty surrounding HIPAA compliance and whether the legal system will be swamped with cases alleging violations of privacy, it's simply safer for small practices to stay with paper charts, and let the big medical practices deal with the inevitable lawsuits.

This brings up another cost issue: Does your insurance cover a patient suit over HIPAA? If so, how inclusive is the insurance? For example, let's say your practice regularly sends digital audio files overseas for transcription. You send the audio files and receive text documents a day later. Do you know how the patient data are handled at the transcription service? If a transcriptionist overseas decides to protest his or her low wages by posting a transcription of your patient's clinic visit openly on the Web, are you liable? Will your insurer pay? This example isn't as far-fetched as it might seem. In October 2003, a disgruntled Pakistani transcriber threatened the University of California-San Francisco over back pay. She threatened to post patients' confidential files on the Internet unless she was paid more money. To show that she was serious, she sent UCSF an unencrypted email with a patient record attached.

HIPAA Compliance in 2017 is a key issue that many doctors are focussed on.

Since 1996, the Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reasons to guard their patient privacy closely.

Depending upon the type of the breach, physicians can be liable for between $100 and $50,000 for each violation. The maximum penalty for a HIPAA violation is $1.5 million for identical provisions during a calendar year. Some HIPAA violations can lead to imprisonment in extreme circumstances. This is why HIPAA compliance in 2017 is such an important factor for doctors.

To ensure that your practice has effective HIPAA compliance in 2017, here are 5 steps to follow:

1) Correct Sharing of Patient Information

If your staff discuss patients’ names, addresses and/or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or change of address in private. Also, create a quiet place for phone calls to occur. Even if you’re just calling a patient to set up or confirm an appointment, it is better to do this in a private area if possible.

2) Secured Paper Files

While paper charts are slowly becoming a relic, it is important that past files are stored securely. Doctors who have moved to using an EHR for all patient records may still have old patient files that need to be transferred. Once the conversion from paper documents to electronic format is complete, be sure to shred any patient records before you dispose of them.

If your medical practice still uses paper documents, be sure not to leave them in unsecured or unattended areas. This includes charts, paperwork and forms that patients bring in from other practices; make sure they are filed and stored securely.

3) Encrypted Emails

Never underestimate the importance of email encryption, even for seemingly innocent files. Using non-encrypted email services, such as Gmail, Outlook, Yahoo and other well-known email services, creates a risk that hackers can access your information. For this reason, you should consider an encrypted email or file sharing service for pertinent patient information.

When sending bulk emails to patients, or many emails in a row, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn’t double-check your recipient address or an email attachment.

This is one of those areas where slow, steady careful checking pays off.

4) HIPAA Secured Patient Portals

If you use or are considering creating a patient portal, ensure it has secure login compliance. Any personal patient information should not be easily accessible without a username and password.

If sharing information with family members of patients, be sure to get written authorization from the patient first. A good practice is to require identity verification for password reminders. You can also remind patients to access their patient portal when they have a secure internet connection (i.e. not in public places).

5) Ensure your Telemedicine platform is HIPAA compliant

Some doctors have considered using Skype or FaceTime to communicate with patients. While they are great free platforms for video chat, the reality is they weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their Internet connection is secure, there is very little they can do to make sure everything is secure on the patient’s receiving end.

Another alternative is to ensure there is a Business Associate Agreement in place. The same issues arise with security for text messaging, so be sure to use HIPAA compliant texting tools here as well. The solution here is to ideally use a HIPAA compliant application designed for Telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean it isn’t a negative for your practice. Having HIPAA Compliance in 2017 is as important as it has been for the past 20 years.

When doctors treat patient information with caution, they can enjoy the peace of mind that comes with being HIPAA compliant.

No matter what business you’re in, information and technology management is important for success. But in the health-care realm, the ability to keep data safe and secure is even more paramount. That’s because government regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA) state that all protected health information must be strictly protected — and that any breach of such information must be reported immediately.

In addition, the HITECH Act expanded the scope of who was responsible for meeting HIPAA regulations by including any third-party business associate that handles or processes personal health information for a covered entity like a hospital, insurance company, or medical provider. That means financial, accounting, legal, billing, claims processing, and IT firms that work with the health-care industry, along with all of the third-party vendors that they use.

So why does HIPAA-compliant IT support matter? With the new breach notification requirements, companies that mishandle health information can now be audited, fined, or slapped with civil or criminal charges. And that doesn’t even take into account the hit to a company’s reputation that comes with a data breach.

Take the recent announcement that Anthem, Inc., the second-largest health insurance provider in North America, inadvertently exposed the medical information, Social Security numbers, and email addresses of over 80 million consumers. Regulatory fines will certainly be forthcoming — but tens of thousands of Anthem clients have already filed class-action lawsuits against the company, as well.

In our current data breach-sensitive day and age, the revelation of a situation like Anthem’s can lead to productive changes in the world of HIPAA-compliant IT support. Unfortunately, some of those changes include major IT providers deciding to walk away from the health-care industry altogether.

At CMIT Solutions, we’ve put in the extra time and effort to make sure our IT solutions are HIPAA-compliant. Below are some of the most important ones that small businesses rely on:

• Data encryption. HIPAA regulations require that data be encrypted at rest in the data centers where it resides, in transit across the Internet, and to and from the cloud. Anthem’s data breach resulted from data on its servers not being encrypted, presumably so employees had easier access to it. But such shortcuts are reflective of outdated IT policies that don’t meet today’s needs.

• Strong backup, recovery, and eradication capabilities. HIPAA rules dictate several requirements for storing data: backups must reside in certain locations; retrieval of data must be overseen through access control and login monitoring; data must be kept available, even in the event of a disaster; and old storage systems must be destroyed, not reused. No small business owner should be expected to add worries to his or her day-to-day duties — that’s what a HIPAA-compliant IT provider is for.

• Tested policies and procedures. This might not seem to fall under the IT umbrella, but best-practices policies and procedures can save your business from a HIPAA-related disaster down the road. A trustworthy and truly HIPAA-compliant IT provider will have Business Associate Agreements, Privacy and Security Rule Risk Assessments, and other documents ready for your perusal and implementation.

At CMIT Solutions, we understand the complexities of IT support for the health-care industry, and we’ve worked hard to meet HIPAA regulations. We offer proven solutions that can deliver positive outcomes and an unparalleled level of care while increasing your efficiency and productivity. Contact us today to find out how we can be your all-in-one IT provider.


As an Iraq war veteran, I served as a physician with an infantry unit on the streets of Fallujah.

During the seizure of the city, we always were reminded by our commanding officers of the importance of protecting our borders.

As physicians, I believe we need to be aware and vigilant of protecting our privacy borders.

The Health Insurance Portability and Accountability Act, better known as HIPAA, was passed by Congress in 1996. From that time forward, protecting the borders and not leaking confidential protected health information became a physician’s priority.

As a medical student back then, I was warned never to discuss a patient in an elevator or the hospital cafeteria.

Easy enough, I presumed.

I soon learned however, that just as in Iraq, protecting borders is never an easy task.

Since 2009, there have been more than 800 patient data breaches and 29 million patient records affected by HIPAA violations, according to the 2013 Redspin Breach Report.

These data breaches can also strain the wallet. Depending on the scale of the breach, fines for HIPAA violations can start at $100 and can go as high as $50,000, capping at $1.5 million annually. Fines aren’t the only consequence practitioners face – a HIPAA violation can break the trust that patients have with their physicians.

Smaller practices are at risk as much as large organizations. It becomes harder to keep track of electronic communication within the practice when patients and staff have mobile devices and can be unaware of how easily HIPAA rules can be violated.

For example, an employee may think it is harmless to use his smartphone to post a picture or video of a patient. Well-intentioned employees may post or text an interesting physical exam finding. Even something as harmless as taking a picture of food may violate HIPAA when the employee does not realize the lunch is sitting on a patient chart.

As a doctor working to protect my patients and myself, here are some useful tips to protect your borders and remain HIPAA compliant:

Administrative borders: designate security responsibilities, train staff to know the consequences of HIPAA breaches, take a monthly review of user activity, have stringent policy enforcement across all roles.

HIPAA violations are a constant threat to doctors running a medical practice. Since 1996, the Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reasons to guard their patient privacy closely.

Depending upon the type of the breach, physicians can be liable for $100 up to $50,000 for each violation, with a maximum of $1.5 million for identical provisions during a calendar year.

Worse than this, some violations can lead to imprisonment in extreme circumstances. (For a full guide to the levels of HIPAA violation, you can review this guide.)

For these reasons, as well as securing and safeguarding your patient security, it is very important to know which HIPAA violations to avoid. Essentially, if you violate HIPAA, you’re risking the information of your patients, as well as potentially your credibility and reputation as a professional.

Here are a group of HIPAA violations doctors may wish to avoid:

1) Discussing patient information publicly

If your staff discuss patients’ names, addresses and/or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or change of address in private. Also, create a quiet place for phone calls to occur. Even if you’re just calling a patient to set up or confirm an appointment, it is better to do this in a private area if possible.

2) Paper files in Non-Secure Locations

The days of having paper charts are fading away, as more and more doctors move to using an EHR for all patient records. If you still use any form of paper documents, be sure not to leave them in unsecured or unattended areas. Also make sure that charts, paperwork and forms that patients bring in from other practices are filed and stored securely.

Also, if you are converting from paper documents to an electronic office, be sure to shred any patient records before you dispose of them.

3) Non-Encrypted Email or Sending Incorrect emails

Never underestimate the importance of encryption, even for seemingly innocent files. The use of non-encrypted email services, such as Gmail, Outlook, Yahoo and other well-known email services, can cause a risk of hackers being able to access your information. For this reason, you might consider an encrypted email or file sharing service for pertinent patient information.

Along with this, make sure that you are sending patient information to the correct recipient. When sending bulk emails to patients, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn’t double-check your recipient or an email attachment. This is one of those areas where slow, steady, careful checking pays off.

4) Unsecured Patient Portals

If you use or are considering creating a patient portal, make sure it has secure login compliance, so that any personal patient information is not easily accessible without a username and password.

When it comes to families who can share information, be sure to get authorisation from a patient first. A good practice is to require identity verification for password reminders, and you might also remind your patients to access their patient portal when they have a secure internet connection.

5) Non-HIPAA video chat

Some doctors have considered using Skype or FaceTime to communicate with patients. While they are great free platforms for video chat, the reality is they weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their Internet connection is secure, there is very little they can do to make sure everything is secure on the patient’s receiving end. Another alternative is to ensure there is a Business Associate Agreement in place. The same issues arise with security for text messaging, so be sure to use HIPAA compliant texting tools here as well. The solution here is to ideally use a HIPAA compliant application designed for Telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean it isn’t a negative for your practice. A data breach of any kind can damage your practice’s reputation even without your knowledge. By treating all patient information with the same caution, you can enjoy the peace of mind that comes with being HIPAA compliant.
